Unsecured ElasticSearch Server Exposed Data on 1,133 NFL Players

Security researchers, and what appears to be at least one hacker, have found an ElasticSearch server left exposed online that was hosting information about 1,133 National Football League (NFL) players and agents.

According to the Kromtech Security Center, the security company that found the exposed data, the ElasticSearch server was being used to store data collected from a number of NFL domains.

The data included web analytics, but also information on NFL players. It is unknown whether the data belongs to current or past players.

ElasticSearch server left exposed online without a password

The source of the data appears to be Orchard Audit, a user tracking module for Orchard, an ASP.NET CMS. According to W3Techs, the NFLPA website uses the Orchard CMS.

Kromtech Chief Communication Officer Bob Diachenko says the ElasticSearch database where the CMS module was sending data was left exposed online, and anyone could access the server without authentication.
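The exposure described above is the classic Elasticsearch failure mode: a node bound to a public interface with no authentication in front of it answers `GET /` with its cluster banner and `GET /_cat/indices` with a full index inventory to anyone who connects. The check below is an added example written for this page; it is not code from the article, Kromtech or the NFLPA. The two offline helpers interpret those two responses, `probe_node()` issues the same requests against a node you are authorised to test, and the sample responses, index names (`orchard-audit`, `web-analytics-2017.01`), version number and host are constructed for illustration.

```python
"""Exposure check for a single Elasticsearch node (added example, not from the article).

classify_root() and inventory() interpret the HTTP responses a node gives to
GET /  and  GET /_cat/indices?format=json ; probe_node() issues those requests
against a host you own. All sample responses below are constructed, not captured.
"""
import json
import urllib.error
import urllib.request

# Constructed sample: what an unauthenticated node returns for GET /.
SAMPLE_ROOT_OK = json.dumps({
    "name": "node-1",
    "cluster_name": "elasticsearch",
    "version": {"number": "5.2.0"},
    "tagline": "You Know, for Search",
})

# Constructed sample: what a node with authentication in front returns (HTTP 401).
SAMPLE_ROOT_401 = json.dumps({
    "error": {"type": "security_exception", "reason": "missing authentication token"},
    "status": 401,
})

# Constructed sample: GET /_cat/indices?format=json on the open node
# (index names are assumptions made for this example).
SAMPLE_CAT = json.dumps([
    {"health": "yellow", "status": "open", "index": "orchard-audit",
     "pri": "5", "rep": "1", "docs.count": "1133", "store.size": "2.1mb"},
    {"health": "green", "status": "open", "index": "web-analytics-2017.01",
     "pri": "1", "rep": "0", "docs.count": "48210", "store.size": "35mb"},
])


def classify_root(status, body):
    """Classify GET / : a 200 carrying the cluster banner means anyone can use the
    REST API without credentials; a 401 means some auth layer is in front."""
    if status == 401:
        return "auth_required"
    if status != 200:
        return "unknown"
    try:
        doc = json.loads(body)
    except ValueError:
        return "not_elasticsearch"
    if isinstance(doc, dict) and "cluster_name" in doc and "version" in doc:
        return "unauthenticated"
    return "not_elasticsearch"


def inventory(cat_body):
    """Turn _cat/indices JSON into ([(index, doc_count), ...], total_docs).
    docs.count is a string in _cat output and may be absent for closed indices."""
    rows = json.loads(cat_body)
    entries = [(row["index"], int(row.get("docs.count") or 0)) for row in rows]
    return entries, sum(count for _, count in entries)


def _get(url, timeout):
    """GET url and return (status, body), also for HTTP error statuses."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


def probe_node(base_url, timeout=5):
    """Live check against a node you are authorised to test, e.g.
    probe_node("http://10.0.0.5:9200"). Returns (verdict, index list or None)."""
    base = base_url.rstrip("/")
    verdict = classify_root(*_get(base + "/", timeout))
    if verdict != "unauthenticated":
        return verdict, None
    status, body = _get(base + "/_cat/indices?format=json", timeout)
    return verdict, (inventory(body)[0] if status == 200 else None)


if __name__ == "__main__":
    print(classify_root(200, SAMPLE_ROOT_OK))   # unauthenticated
    print(classify_root(401, SAMPLE_ROOT_401))  # auth_required
    entries, total = inventory(SAMPLE_CAT)
    for name, count in entries:
        print(f"{name}: {count} docs")
    print("documents readable without a password:", total)
```

A verdict of `unauthenticated` from a public address is the condition described in this article. The fix is not to hide the port: bind `network.host` in `elasticsearch.yml` to a loopback or private interface, and put an authenticating proxy or the cluster's own security layer in front of anything that must be reachable from elsewhere.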

Sensitive data on NFL players and agents included as well

The most sensitive information was related to NFL players and agents. Kromtech says it found email addresses, mobile phone numbers, home addresses, and the IP addresses used to sign in to and access the NFLPA dashboard.

Among the exposed data were also the personal details of former 49ers quarterback Colin Kaepernick. Kaepernick has previously told the media that he received numerous death threats following his decision to protest by taking a knee during the national anthem before NFL games last year. Similar protests have continued this year; although Kaepernick has not found a new team for the current season, he is still considered the face of the movement.

Kromtech said it informed the NFLPA about the exposed server. The Association secured it shortly after receiving the email but did not respond to the researchers.

Hacker left ransom note on NFLPA's server

In most leaks of this kind, there is no sign that another party reached the data. In this case, Diachenko says that at least one hacker found it.

According to Diachenko, somebody accessed the NFLPA ElasticSearch server on February 3, 2017, and left the following message inside the database.

Catalin Cimpanu is the Security News Editor for Bleeping Computer, where he covers topics such as malware, breaches, vulnerabilities, exploits, hacking news, the Dark Web, and a few more. Catalin previously covered Web & Security news for Softpedia between May 2015 and October 2016. The easiest way to reach Catalin is via his XMPP/Jabber address at campuscodi@xmpp.is. For other contact methods, please visit Catalin's author page.